saml-dev message



Subject: RE: [saml-dev] Mixed one/two-factor authentication environment


Not necessarily. Unless there are some other unstated requirements, IMO, implementations should be able to deal with the step-up authentication without the logout step. 

 

It starts to get into authentication grading of course which SAML tends to consider a “local” policy matter. If you accept that a 2fa is stronger than a u/p authentication at both an SP and an IdP, then an implementation should normally accept the 2fa for getting at any resource but the u/p authn can only get at the lower-protected resources.

 

If the user hits a 2fa-protected resource on the SP first, the initial AuthenticationRequest can ask for the hardware token and the relying party should let them get to all resources.

 

If the user hits a u/p resource on the SP first, the initial AR would be for password and when the user subsequently hits a 2fa-protected resource, it should just “add” to the user's authn state by requesting the IdP to authenticate them with the hardware token.  There should be no need to log the user out.

 

On the IdP side, if the user is logged in first with u/p but it then receives an AR asking for h/w token, it should just do the 2fa.  Shouldn’t be a need to log the user out.

 

Well, at least that is how I would implement it.   

 

Rob Philpott

RSA, the Security Division of EMC
Senior Technologist | e-Mail: robert.philpott@rsa.com | Office: (781) 515-7115 | Mobile: (617) 510-0893

 

From: Tanja Sialevri [mailto:tanja.sialevri@gmail.com]
Sent: Friday, December 11, 2009 5:42 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Mixed one/two-factor authentication environment

 

I'm working on a federation scenario where some services require only password authentication and some two-factor authentication (hard token).

I was thinking of starting off with an Authentication Context that requires only password and when the user requires a service that needs two-factor auth, I'd log him out and request that he logs in again in an Authentication Context that requires the use of his hard token.

Is this the way to go in a mixed one/two-factor authentication environment?
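As an added illustration of the step-up flow Rob describes (example code, not part of the thread): an SP holding a password-only session that hits a token-protected resource issues a new AuthnRequest whose RequestedAuthnContext names the stronger classes, then merges the IdP's answer into the existing session instead of logging the user out. The grading table is an assumption standing in for local policy; SAML defines the AuthnContext class URIs but leaves their relative strength to the SP and IdP.

```python
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

# Local grading policy (constructed for this example): higher = stronger.
# SAML defines these class URIs but not their ordering; that is SP policy.
GRADE = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 1,
    AC + "TimeSyncToken": 2,  # hardware OTP token
    AC + "Smartcard": 2,
}

def grade(class_ref):
    """Unknown or 'unspecified' contexts grade as 0: never silently treated as strong."""
    return GRADE.get(class_ref, 0)

def needs_step_up(session_class, required_class):
    """True when the user's current authn state is weaker than the resource requires."""
    return grade(session_class) < grade(required_class)

def acceptable_classes(required_class):
    """All known classes graded at least as high as the requirement, strongest first."""
    floor = grade(required_class)
    return sorted((c for c, g in GRADE.items() if g >= floor),
                  key=lambda c: (-GRADE[c], c))

def build_requested_authn_context(required_class):
    """<samlp:RequestedAuthnContext> for the step-up AuthnRequest. Listing every
    acceptable class with Comparison="exact" avoids depending on how the IdP
    orders classes for "minimum"."""
    rac = ET.Element(f"{{{NS_P}}}RequestedAuthnContext", Comparison="exact")
    for c in acceptable_classes(required_class):
        ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = c
    return ET.tostring(rac, encoding="unicode")

def upgrade_session(session_class, asserted_class, required_class):
    """Merge the step-up result into the existing session (no logout). Returns the
    new session class, or None if the IdP's assertion still falls short: the SP
    checks what came back rather than trusting that its request was honoured."""
    if grade(asserted_class) < grade(required_class):
        return None
    return asserted_class if grade(asserted_class) > grade(session_class) else session_class
```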


